Migrating from Cloud-Config to Container Linux Config

Historically, the recommended way to provision a Container Linux machine was with a cloud-config. This was a YAML file specifying things like systemd units to run, users that should exist, and files that should be written. This file would be given to a Container Linux machine, and saved on disk. Then a utility called coreos-cloudinit running in a systemd unit would read this file, look at the system state, and make necessary changes on every boot.

Going forward, provisioning with Container Linux Configs is the recommended method.

This document details how to convert an existing cloud-config into a Container Linux Config. Once a Container Linux Config has been written, it is given to the Config Transpiler to be converted into an Ignition Config. This Ignition Config can then be provided to a booting machine. For more information on this process, take a look at the provisioning guide.

The etcd and flannel examples shown in this document will use dynamic data in the Container Linux Config (anything looking like this: {PRIVATE_IPV4}). Not all types of dynamic data are supported on all cloud providers, and if the machine is not on a cloud provider this feature cannot be used. Please see here for more information.

etcd can be configured in a more general way with a Container Linux Config. This CL Config will use the etcd-member.service systemd unit rather than the etcd2 service understood by cloud-config and coreos-cloudinit. The etcd-member service will download a version of etcd of the user's choosing and run it. This means that in a Container Linux Config both etcd v2 and v3 can be configured.

# This config is meant to be consumed by the config transpiler, which will
# generate the corresponding Ignition config. Do not pass this config directly
# to instances of Container Linux.

etcd:
  version: 3.1.6

# This config is meant to be consumed by the config transpiler, which will
# generate the corresponding Ignition config. Do not pass this config directly
# to instances of Container Linux.

etcd:
  name:                        "{HOSTNAME}"
  advertise_client_urls:       "{PRIVATE_IPV4}:2379"
  initial_advertise_peer_urls: "{PRIVATE_IPV4}:2380"
  listen_client_urls:          "http://0.0.0.0:2379"
  listen_peer_urls:            "http://{PRIVATE_IPV4}:2380"
  initial_cluster:             "%m=http://{PRIVATE_IPV4}:2380"

# This config is meant to be consumed by the config transpiler, which will
# generate the corresponding Ignition config. Do not pass this config directly
# to instances of Container Linux.

flannel:
  version:     0.7.0
  etcd_prefix: "/coreos.com/network2"

Locksmith can be configured in the same way under the locksmith section of a Container Linux Config, but some of the accepted options are slightly different. Also the reboot strategy is set in the locksmith section, instead of the update section. Check out the Container Linux Config schema to see what options are available.

# This config is meant to be consumed by the config transpiler, which will
# generate the corresponding Ignition config. Do not pass this config directly
# to instances of Container Linux.

locksmith:
  reboot_strategy: "reboot"
  etcd_endpoints:  "http://example.com:2379"

# This config is meant to be consumed by the config transpiler, which will
# generate the corresponding Ignition config. Do not pass this config directly
# to instances of Container Linux.

update:
  group:  "stable"
  server: "https://public.update.core-os.net/v1/update/"

One big difference between Container Linux Configs and cloud-configs is that the configuration is applied by Ignition before the machine has fully booted, whereas coreos-cloudinit runs after the machine has fully booted. As a result, units cannot be started directly in a Container Linux Config; instead, the unit is enabled so that systemd will start it once systemd starts.

Note: in this example an [Install] section has been added so that the unit can be enabled.

# This config is meant to be consumed by the config transpiler, which will
# generate the corresponding Ignition config. Do not pass this config directly
# to instances of Container Linux.

systemd:
  units:
    - name: "docker-redis.service"
      enable: true
      contents: |
        [Unit]
        Description=Redis container
        Author=Me
        After=docker.service

        [Service]
        Restart=always
        ExecStart=/usr/bin/docker start -a redis_server
        ExecStop=/usr/bin/docker stop -t 2 redis_server

        [Install]
        WantedBy=multi-user.target

# This config is meant to be consumed by the config transpiler, which will
# generate the corresponding Ignition config. Do not pass this config directly
# to instances of Container Linux.

systemd:
  units:
    - name: "docker.service"
      dropins:
        - name: "50-insecure-registry.conf"
          contents: |
            [Service]
            Environment=DOCKER_OPTS='--insecure-registry="10.0.1.0/24"'

# This config is meant to be consumed by the config transpiler, which will
# generate the corresponding Ignition config. Do not pass this config directly
# to instances of Container Linux.

systemd:
  units:
    - name: "etcd-member.service"
      enable: true

# This config is meant to be consumed by the config transpiler, which will
# generate the corresponding Ignition config. Do not pass this config directly
# to instances of Container Linux.

passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0g+ZTxC7weoIJLUafOgrm+h..."

hostname

The Container Linux Config is intentionally more generalized than a cloud-config, and there is no equivalent hostname section understood in a CL Config. Instead, set the hostname by writing it to /etc/hostname in a CL Config storage.files.* section.

# This config is meant to be consumed by the config transpiler, which will
# generate the corresponding Ignition config. Do not pass this config directly
# to instances of Container Linux.

storage:
  files:
    - filesystem: "root"
      path:       "/etc/hostname"
      mode:       0644
      contents:
        inline: coreos1

# This config is meant to be consumed by the config transpiler, which will
# generate the corresponding Ignition config. Do not pass this config directly
# to instances of Container Linux.

passwd:
  users:
    - name:          "elroy"
      password_hash: "$6$5s2u6/jR$un0AvWnqilcgaNB3Mkxd5yYv6mTlWfOoCYHZmfi3LDKVltj.E8XNKEcwWm..."
      ssh_authorized_keys:
        - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0g+ZTxC7weoIJLUafOgrm+h..."
      groups:
        - "sudo"
        - "docker"

# This config is meant to be consumed by the config transpiler, which will
# generate the corresponding Ignition config. Do not pass this config directly
# to instances of Container Linux.

storage:
  files:
    - filesystem: "root"
      path:       "/etc/resolv.conf"
      mode:       0644
      contents:
        inline: |
          nameserver 8.8.8.8

File specifications in this section of a CL Config must define the target filesystem and the file's path relative to the root of that filesystem. This allows files to be written to filesystems other than the root filesystem.

Under the contents section, the file contents are under a sub-section called inline. This is because a file's contents can be remote by replacing the inline section with a remote section. To see what options are available under the remote section, look at the Container Linux Config schema.

manage_etc_hosts

The manage_etc_hosts section in a cloud-config can be used to configure the contents of the /etc/hosts file. Currently only one value is supported, "localhost", which will cause your system's hostname to resolve to 127.0.0.1.

# This config is meant to be consumed by the config transpiler, which will
# generate the corresponding Ignition config. Do not pass this config directly
# to instances of Container Linux.

storage:
  files:
    - filesystem: "root"
      path:       "/etc/hosts"
      mode:       0644
      contents:
        inline: |
          127.0.0.1 localhost
          ::1 localhost
          127.0.0.1 example.com
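
The conversions this guide describes (hostname written to /etc/hostname, started units becoming enabled units, the reboot strategy moving under locksmith), collected into one function as an added example; it is not CoreOS code and not part of the Config Transpiler. It assumes the cloud-config has already been parsed into a dict and uses coreos-cloudinit key names (write_files, coreos.units, coreos.update) that this page does not show; convert and SAMPLE are names chosen here.

```python
# Added example. Cloud-config key names are assumed from the coreos-cloudinit format.
def convert(cc):
    """Return (cl_config, warnings) for the sections covered in this guide."""
    cl, warnings, files, units = {}, [], [], []
    # hostname has no CL Config section: write /etc/hostname via storage.files.
    if "hostname" in cc:
        files.append({"filesystem": "root", "path": "/etc/hostname",
                      "mode": 0o644, "contents": {"inline": cc["hostname"]}})
    for f in cc.get("write_files", []):
        perm = f.get("permissions", "0644")  # usually an octal string
        files.append({"filesystem": "root", "path": f["path"],
                      "mode": int(perm, 8) if isinstance(perm, str) else perm,
                      "contents": {"inline": f.get("content", "")}})
    # Ignition applies the config before the machine has fully booted, so
    # "command: start" becomes "enable: true", which needs an [Install] section.
    for u in cc.get("coreos", {}).get("units", []):
        unit = {"name": u["name"]}
        if "content" in u:
            unit["contents"] = u["content"]
        if u.get("command") == "start" or u.get("enable"):
            unit["enable"] = True
            if "content" in u and "[Install]" not in u["content"]:
                warnings.append(u["name"] + ": needs an [Install] section to be enabled")
        units.append(unit)
    # reboot-strategy moves from the update section to the locksmith section.
    update = dict(cc.get("coreos", {}).get("update", {}))
    if "reboot-strategy" in update:
        cl["locksmith"] = {"reboot_strategy": update.pop("reboot-strategy")}
    if files:
        cl["storage"] = {"files": files}
    if units:
        cl["systemd"] = {"units": units}
    if update:
        cl["update"] = update
    return cl, warnings

# Constructed sample input: a cloud-config after YAML parsing.
SAMPLE = {
    "hostname": "coreos1",
    "write_files": [{"path": "/etc/resolv.conf", "permissions": "0644",
                     "content": "nameserver 8.8.8.8\n"}],
    "coreos": {
        "update": {"reboot-strategy": "reboot", "group": "stable"},
        "units": [{"name": "docker-redis.service", "command": "start",
                   "content": "[Service]\nExecStart=/usr/bin/docker start -a redis_server\n"}],
    },
}
if __name__ == "__main__":
    print(convert(SAMPLE))
```

The returned dict mirrors the CL Config sections shown above; file modes are integers, so 0644 appears as 420 if the result is printed or serialized in decimal.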
